J.D. Fox Exec Resource Center

Taking Control of Your Data

Information Security is not only about keeping information private. In our modern era, it's easier than ever for a company without an adequate Information Security program to lose control of its data to the point no one knows where it is, and it may get lost forever.

Introduction

When considering Information Security, most likely you think about confidentiality of customer and employee lists, strategic and marketing plans, financial data, products in development, and your passwords—keeping this information from those who are not authorized to see it.

Two other primary aspects of managing information security, which are less often discussed, are integrity and availability.

Integrity deals with ensuring your company's information is accurate, and not subject to unauthorized or accidental modification.

This article covers the topic of availability. Availability refers to your applications and data being accessible to employees and customers when they need it. To ensure availability, this traditionally means backup power and redundancy for your servers, backup Internet access, and logical redundancy such as database mirroring. For files, data, and applications in the cloud, however, maintaining availability presents a tremendous challenge without management control, best accomplished by establishing an Information Security program.

How Information Is Lost

Back when users sat down at a desktop computer and logged in to the corporate network, confidentiality was a primary management-level concern. Permissions had to be set correctly, and measures taken to prevent users from e-mailing data outside the company. Protecting integrity of data generated by employees was supported by data backup systems managed by the IT department, which can mitigate an employee's accidental or malicious deletion or corruption of data. Availability was almost entirely the concern of IT as well; there was little a user could do to bring down the company applications or block everyone's access to a shared folder.

Today, there are thousands of easily accessible cloud-based applications your company's employees can sign up for in minutes using their web browser and e-mail address. They do this to keep customer lists, spin up virtual machines to run server applications, store code they're working on for version control, share files or presentations using their preferred method or a method requested by your customers, and convert files from one format to another. All of these involve uploading your company's data, or creating it from scratch in the cloud, and very often the data in these cloud services is the only copy that exists.

Employees do this in order to be productive, but when employees sign up for services without knowledge of your IT team, this raises several problems:

Lack of ability to back up. You may have a cloud-based backup of data stored in your company's sanctioned main storage system. But this cannot back up individual accounts your employees sign up for, especially if you don't know about them.

If an employee saves documents, notes, charts, and logs of his work in the most convenient system, instead of using your company storage, then others who need to see them may not even know they exist. The value of your employee's work having created or collected this information is thereby diminished. Although you would think an employee would tell others about what he produced, this is commonly not the case—especially if you consider the fact that if the employee doesn't think anything of storing data in a private location for his convenience, he is unlikely to proactively think about who might need to see it.

In the event your company is required to turn over records as part of a lawsuit, your company could be sanctioned if you can't manage to track down all the information you were supposed to provide.

Data can easily be lost forever. Many employees sign up for accounts under their private e-mail addresses, so if they leave the company, the data goes with them, and there is nothing you can do to get it back, short of taking legal action. Even if the employee used his business e-mail address (which your company controls after the employee leaves), there are still impediments to retrieving data or access to the application he signed up for. For example, the employee may have set up two-factor authentication, so your business e-mail and his privately-owned cell phone are required to access the account. Or, if your IT manager deletes the departed employees' e-mail account before you know about a cloud service he signed up for, recovery of access to that cloud service may require manual intervention by the provider to recover the account, if it is even possible, for technical reasons we won't detail here.

All of these are new challenges to data availability that didn't exist before the rise of the cloud era. In fact, loss of data due to lack of control is a much more prevalent and real threat than malicious "hacks" (such as malware or phishing), despite the high-profile nature of the latter.

Additional Consequences

Although this article covers availability challenges in the cloud era, keep in mind that not knowing where your data is, let alone failing to control it, means you have no way to ensure that the services where it resides are secure from confidentiality breaches.

Even if employees pick well-established cloud providers, all of these systems are designed to make sharing easy, meaning it's also easy for an employee, through inattention, to accidentally share files with people who are not supposed to see it. And if an employee puts a list of passwords, or private information of your customers, in a file storage system which is then breached, what repercussions could you expect?

Even if there's no breach yet, your business very likely suffers losses due to duplicated costs, typically when a user signs up for a service, with department-level approval to use the company credit card, for a service that is already available in your company but the user and her manager didn't know about.

Solutions

To address this, you need to know what's going on and control it, and it has to be done in a systematic manner. Issuing an order to your employees not to use any cloud providers except centrally controlled login accounts created by your IT team might seem like a panacea, but the two problems with this are:

If there is no enforcement mechanism or system for monitoring compliance, it will be ignored; and

If your users do fully comply, but suitable tools aren't provided to meet the needs they had that caused them to sign up for third-party systems, then productivity will suffer.

So you need to do some discovery, to figure out what the users' needs are, and what they've done already to meet them that needs to be cleaned up. Then, create a plan. To get the best value of the time spent doing this, this can be done as part of an Information Security program that also addresses the other operational and technical impediments to availability, as well as confidentiality and integrity.